]> git.ipfire.org Git - thirdparty/strongswan.git/blame - src/_updown/_updown.in
projects / thirdparty / strongswan.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
updown: Properly configure ICMP[v6] message type and code in firewall rules
[thirdparty/strongswan.git] / src / _updown / _updown.in
CommitLineData
997358a6
MW		 1#! /bin/sh
2# iproute2 version, default updown script
3#
4# Copyright (C) 2003-2004 Nigel Meteringham
5# Copyright (C) 2003-2004 Tuomo Soini
6# Copyright (C) 2002-2004 Michael Richardson
ef014519 7# Copyright (C) 2005-2007 Andreas Steffen <andreas.steffen@strongswan.org>
8b3b4a24 8#
997358a6
MW		 9# This program is free software; you can redistribute it and/or modify it
10# under the terms of the GNU General Public License as published by the
11# Free Software Foundation; either version 2 of the License, or (at your
12# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
8b3b4a24 13#
997358a6
MW		 14# This program is distributed in the hope that it will be useful, but
15# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
16# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
17# for more details.
997358a6
MW		 18
19# CAUTION: Installing a new version of strongSwan will install a new
20# copy of this script, wiping out any custom changes you make. If
21# you need changes, make a copy of this under another name, and customize
22# that, and use the (left/right)updown parameters in ipsec.conf to make
23# strongSwan use yours instead of this default one.
24
25# things that this script gets (from ipsec_pluto(8) man page)
26#
27# PLUTO_VERSION
28# indicates what version of this interface is being
29# used. This document describes version 1.1. This
30# is upwardly compatible with version 1.0.
31#
32# PLUTO_VERB
33# specifies the name of the operation to be performed
34# (prepare-host, prepare-client, up-host, up-client,
35# down-host, or down-client). If the address family
8af25c56 36# for security gateway to security gateway communica-
997358a6
MW		 37# tions is IPv6, then a suffix of -v6 is added to the
38# verb.
39#
40# PLUTO_CONNECTION
41# is the name of the connection for which we are
42# routing.
43#
997358a6
MW		 44# PLUTO_INTERFACE
45# is the name of the ipsec interface to be used.
46#
47# PLUTO_REQID
c5d9b133
MW		 48# is the requid of the AH|ESP policy
49#
50# PLUTO_PROTO
51# is the negotiated IPsec protocol, ah|esp
997358a6 52#
2ce40343
EH		 53# PLUTO_UNIQUEID
54# is the unique identifier of the associated IKE_SA
55#
997358a6
MW		 56# PLUTO_ME
57# is the IP address of our host.
58#
59# PLUTO_MY_ID
60# is the ID of our host.
61#
62# PLUTO_MY_CLIENT
63# is the IP address / count of our client subnet. If
64# the client is just the host, this will be the
65# host's own IP address / max (where max is 32 for
66# IPv4 and 128 for IPv6).
67#
997358a6 68# PLUTO_MY_SOURCEIP
2df15595
MW		 69# PLUTO_MY_SOURCEIP4_$i
70# PLUTO_MY_SOURCEIP6_$i
71# contains IPv4/IPv6 virtual IP received from a responder,
72# $i enumerates from 1 to the number of IP per address family.
73# PLUTO_MY_SOURCEIP is a legacy variable and equals to the first
74# virtual IP, IPv4 or IPv6.
997358a6
MW		 75#
76# PLUTO_MY_PROTOCOL
77# is the IP protocol that will be transported.
78#
79# PLUTO_MY_PORT
80# is the UDP/TCP port to which the IPsec SA is
9739a0bf
TB		 81# restricted on our side. For ICMP/ICMPv6 this contains the
82# message type, and PLUTO_PEER_PORT the message code.
997358a6
MW		 83#
84# PLUTO_PEER
85# is the IP address of our peer.
86#
87# PLUTO_PEER_ID
88# is the ID of our peer.
89#
997358a6 90# PLUTO_PEER_CLIENT
8af25c56 91# is the IP address / count of the peer's client sub-
997358a6
MW		 92# net. If the client is just the peer, this will be
93# the peer's own IP address / max (where max is 32
94# for IPv4 and 128 for IPv6).
95#
997358a6
MW		 96# PLUTO_PEER_PROTOCOL
97# is the IP protocol that will be transported.
98#
99# PLUTO_PEER_PORT
100# is the UDP/TCP port to which the IPsec SA is
9739a0bf
TB		 101# restricted on the peer side. For ICMP/ICMPv6 this contains the
102# message code, and PLUTO_MY_PORT the message type.
997358a6 103#
16c97c8e
AS		 104# PLUTO_XAUTH_ID
105# is an optional user ID employed by the XAUTH protocol
106#
107# PLUTO_MARK_IN
108# is an optional XFRM mark set on the inbound IPsec SA
109#
110# PLUTO_MARK_OUT
111# is an optional XFRM mark set on the outbound IPsec SA
112#
6d71f4dc 113# PLUTO_UDP_ENC
16c97c8e
AS		 114# contains the remote UDP port in the case of ESP_IN_UDP
115# encapsulation
964f6372 116#
2b08ae45
MW		 117# PLUTO_DNS4_$i
118# PLUTO_DNS6_$i
119# contains IPv4/IPv6 DNS server attribute received from a
120# responder, $i enumerates from 1 to the number of servers per
121# address family.
122#
997358a6 123
c2bb1eca 124# define a minimum PATH environment in case it is not set
b7b56533 125PATH="/sbin:/bin:/usr/sbin:/usr/bin:@sbindir@"
c2bb1eca
AS		 126export PATH
127
997358a6
MW		 128# uncomment to log VPN connections
129VPN_LOGGING=1
130#
131# tag put in front of each log entry:
132TAG=vpn
133#
134# syslog facility and priority used:
135FAC_PRIO=local0.notice
136#
137# to create a special vpn logging file, put the following line into
138# the syslog configuration file /etc/syslog.conf:
139#
140# local0.notice -/var/log/vpn
f6f55adb
AS		 141
142# in order to use source IP routing the Linux kernel options
143# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
144# must be enabled
145#
146# special routing table for sourceip routes
b7b56533 147SOURCEIP_ROUTING_TABLE=@routing_table@
997358a6 148#
f6f55adb 149# priority of the sourceip routing table
b7b56533 150SOURCEIP_ROUTING_TABLE_PRIO=@routing_table_prio@
997358a6
MW		 151
152# check interface version
153case "$PLUTO_VERSION" in
1541.[0|1]) # Older Pluto?!? Play it safe, script may be using new features.
155 echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
156 echo "$0: called by obsolete Pluto?" >&2
157 exit 2
158 ;;
1591.*) ;;
160*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
161 exit 2
162 ;;
163esac
164
165# check parameter(s)
166case "$1:$*" in
167':') # no parameters
168 ;;
169iptables:iptables) # due to (left/right)firewall; for default script only
170 ;;
171custom:*) # custom parameters (see above CAUTION comment)
172 ;;
173*) echo "$0: unknown parameters \`$*'" >&2
174 exit 2
175 ;;
176esac
177
178# utility functions for route manipulation
179# Meddling with this stuff should not be necessary and requires great care.
180uproute() {
181 doroute add
182 ip route flush cache
183}
184downroute() {
185 doroute delete
186 ip route flush cache
187}
188
189addsource() {
190 st=0
191 if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
192 then
193 it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
194 oops="`eval $it 2>&1`"
195 st=$?
196 if test " $oops" = " " -a " $st" != " 0"
197 then
198 oops="silent error, exit status $st"
199 fi
200 if test " $oops" != " " -o " $st" != " 0"
201 then
202 echo "$0: addsource \`$it' failed ($oops)" >&2
203 fi
204 fi
205 return $st
206}
207
208doroute() {
209 st=0
997358a6
MW		 210
211 if [ -z "$PLUTO_MY_SOURCEIP" ]
212 then
14c408ee
AS		 213 for dir in /etc/sysconfig /etc/conf.d; do
214 if [ -f "$dir/defaultsource" ]
215 then
216 . "$dir/defaultsource"
217 fi
218 done
997358a6
MW		 219
220 if [ -n "$DEFAULTSOURCE" ]
221 then
222 PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
223 fi
224 fi
225
ef014519
AS		 226 if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
227 then
228 # leave because no route entry is required
229 return $st
230 fi
231
232 parms1="$PLUTO_PEER_CLIENT"
233
f6f55adb 234 if [ -n "$PLUTO_NEXT_HOP" ]
ef014519 235 then
f6f55adb 236 parms2="via $PLUTO_NEXT_HOP"
ef014519 237 else
f6f55adb 238 parms2="via $PLUTO_PEER"
8b3b4a24 239 fi
ef014519
AS		 240 parms2="$parms2 dev $PLUTO_INTERFACE"
241
997358a6 242 parms3=
f6f55adb 243 if [ -n "$PLUTO_MY_SOURCEIP" ]
997358a6 244 then
f6f55adb
AS		 245 if test "$1" = "add"
246 then
247 addsource
ca694c61 248 if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
f6f55adb 249 then
ca694c61 250 ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
f6f55adb
AS		 251 fi
252 fi
ca694c61 253 parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
997358a6
MW		 254 fi
255
256 case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
257 "0.0.0.0/0.0.0.0")
258 # opportunistic encryption work around
8b3b4a24 259 # need to provide route that eclipses default, without
997358a6
MW		 260 # replacing it.
261 it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
262 ip route $1 128.0.0.0/1 $parms2 $parms3"
263 ;;
ef014519 264 *) it="ip route $1 $parms1 $parms2 $parms3"
997358a6
MW		 265 ;;
266 esac
267 oops="`eval $it 2>&1`"
268 st=$?
269 if test " $oops" = " " -a " $st" != " 0"
270 then
271 oops="silent error, exit status $st"
272 fi
273 if test " $oops" != " " -o " $st" != " 0"
274 then
275 echo "$0: doroute \`$it' failed ($oops)" >&2
276 fi
277 return $st
278}
8b3b4a24
MW		 279
280# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
997358a6
MW		 281if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
282then
ef014519 283 KLIPS=1
997358a6
MW		 284 IPSEC_POLICY_IN=""
285 IPSEC_POLICY_OUT=""
286else
ef014519 287 KLIPS=
48175958 288 IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID"
997358a6
MW		 289 IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
290 IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
291fi
292
4c185d11
TB		 293# use protocol specific options to set ports
294case "$PLUTO_MY_PROTOCOL" in
2951) # ICMP
296 ICMP_TYPE_OPTION="--icmp-type"
297 ;;
29858) # ICMPv6
299 ICMP_TYPE_OPTION="--icmpv6-type"
300 ;;
301*)
302 ;;
303esac
304
997358a6
MW		 305# are there port numbers?
306if [ "$PLUTO_MY_PORT" != 0 ]
307then
4c185d11
TB		 308 if [ -n "$ICMP_TYPE_OPTION" ]
309 then
310 S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
311 D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
312 else
313 S_MY_PORT="--sport $PLUTO_MY_PORT"
314 D_MY_PORT="--dport $PLUTO_MY_PORT"
315 fi
997358a6
MW		 316fi
317if [ "$PLUTO_PEER_PORT" != 0 ]
318then
4c185d11
TB		 319 if [ -n "$ICMP_TYPE_OPTION" ]
320 then
321 # the syntax is --icmp[v6]-type type[/code], so add it to the existing option
322 S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT"
323 D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT"
324 else
325 S_PEER_PORT="--sport $PLUTO_PEER_PORT"
326 D_PEER_PORT="--dport $PLUTO_PEER_PORT"
327 fi
997358a6
MW		 328fi
329
bb7b613b
AS		 330# resolve octal escape sequences
331PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
332PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
333
997358a6
MW		 334# the big choice
335case "$PLUTO_VERB:$1" in
336prepare-host:*|prepare-client:*)
7a1f49c3
AS		 337 if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
338 then
339 # exit because no route will be added,
340 # so that existing routes can stay
341 exit 0
342 fi
343
997358a6
MW		 344 # delete possibly-existing route (preliminary to adding a route)
345 case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
346 "0.0.0.0/0.0.0.0")
8b3b4a24 347 # need to provide route that eclipses default, without
997358a6
MW		 348 # replacing it.
349 parms1="0.0.0.0/1"
350 parms2="128.0.0.0/1"
351 it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
352 oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
353 ;;
354 *)
355 parms="$PLUTO_PEER_CLIENT"
356 it="ip route delete $parms 2>&1"
357 oops="`ip route delete $parms 2>&1`"
358 ;;
359 esac
360 status="$?"
361 if test " $oops" = " " -a " $status" != " 0"
362 then
363 oops="silent error, exit status $status"
364 fi
365 case "$oops" in
8b3b4a24 366 *'RTNETLINK answers: No such process'*)
997358a6
MW		 367 # This is what route (currently -- not documented!) gives
368 # for "could not find such a route".
369 oops=
370 status=0
371 ;;
372 esac
373 if test " $oops" != " " -o " $status" != " 0"
374 then
375 echo "$0: \`$it' failed ($oops)" >&2
376 fi
377 exit $status
378 ;;
379route-host:*|route-client:*)
380 # connection to me or my client subnet being routed
381 uproute
382 ;;
383unroute-host:*|unroute-client:*)
384 # connection to me or my client subnet being unrouted
385 downroute
386 ;;
387up-host:)
388 # connection to me coming up
389 # If you are doing a custom version, firewall commands go here.
390 ;;
391down-host:)
392 # connection to me going down
393 # If you are doing a custom version, firewall commands go here.
394 ;;
395up-client:)
396 # connection to my client subnet coming up
397 # If you are doing a custom version, firewall commands go here.
398 ;;
399down-client:)
400 # connection to my client subnet going down
401 # If you are doing a custom version, firewall commands go here.
402 ;;
403up-host:iptables)
404 # connection to me, with (left/right)firewall=yes, coming up
405 # This is used only by the default updown script, not by your custom
406 # ones, so do not mess with it; see CAUTION comment up at top.
407 iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
b14a8768 408 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
997358a6
MW		 409 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
410 iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
411 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
b14a8768 412 -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
997358a6
MW		 413 #
414 # log IPsec host connection setup
415 if [ $VPN_LOGGING ]
416 then
bb7b613b 417 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
997358a6
MW		 418 then
419 logger -t $TAG -p $FAC_PRIO \
bb7b613b 420 "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
997358a6
MW		 421 else
422 logger -t $TAG -p $FAC_PRIO \
bb7b613b 423 "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
997358a6 424 fi
8b3b4a24 425 fi
997358a6
MW		 426 ;;
427down-host:iptables)
428 # connection to me, with (left/right)firewall=yes, going down
429 # This is used only by the default updown script, not by your custom
430 # ones, so do not mess with it; see CAUTION comment up at top.
431 iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
b14a8768 432 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
997358a6
MW		 433 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
434 iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
435 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
b14a8768 436 -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
997358a6
MW		 437 #
438 # log IPsec host connection teardown
439 if [ $VPN_LOGGING ]
440 then
bb7b613b 441 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
997358a6
MW		 442 then
443 logger -t $TAG -p $FAC_PRIO -- \
bb7b613b 444 "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
997358a6
MW		 445 else
446 logger -t $TAG -p $FAC_PRIO -- \
bb7b613b 447 "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
997358a6
MW		 448 fi
449 fi
450 ;;
451up-client:iptables)
452 # connection to client subnet, with (left/right)firewall=yes, coming up
453 # This is used only by the default updown script, not by your custom
454 # ones, so do not mess with it; see CAUTION comment up at top.
455 if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
456 then
457 iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
b14a8768
AS		 458 -s $PLUTO_MY_CLIENT $S_MY_PORT \
459 -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
997358a6 460 iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
b14a8768
AS		 461 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
462 -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
997358a6
MW		 463 fi
464 #
465 # a virtual IP requires an INPUT and OUTPUT rule on the host
466 # or sometimes host access via the internal IP is needed
467 if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
468 then
469 iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
b14a8768
AS		 470 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
471 -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
997358a6 472 iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
b14a8768
AS		 473 -s $PLUTO_MY_CLIENT $S_MY_PORT \
474 -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
997358a6
MW		 475 fi
476 #
477 # log IPsec client connection setup
478 if [ $VPN_LOGGING ]
479 then
bb7b613b 480 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
997358a6
MW		 481 then
482 logger -t $TAG -p $FAC_PRIO \
bb7b613b 483 "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
997358a6
MW		 484 else
485 logger -t $TAG -p $FAC_PRIO \
bb7b613b 486 "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
997358a6
MW		 487 fi
488 fi
489 ;;
490down-client:iptables)
491 # connection to client subnet, with (left/right)firewall=yes, going down
492 # This is used only by the default updown script, not by your custom
493 # ones, so do not mess with it; see CAUTION comment up at top.
494 if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
495 then
496 iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
b14a8768
AS		 497 -s $PLUTO_MY_CLIENT $S_MY_PORT \
498 -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
997358a6
MW		 499 $IPSEC_POLICY_OUT -j ACCEPT
500 iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
b14a8768
AS		 501 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
502 -d $PLUTO_MY_CLIENT $D_MY_PORT \
997358a6
MW		 503 $IPSEC_POLICY_IN -j ACCEPT
504 fi
505 #
506 # a virtual IP requires an INPUT and OUTPUT rule on the host
507 # or sometimes host access via the internal IP is needed
508 if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
509 then
510 iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
b14a8768
AS		 511 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
512 -d $PLUTO_MY_CLIENT $D_MY_PORT \
997358a6
MW		 513 $IPSEC_POLICY_IN -j ACCEPT
514 iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
b14a8768
AS		 515 -s $PLUTO_MY_CLIENT $S_MY_PORT \
516 -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
997358a6
MW		 517 $IPSEC_POLICY_OUT -j ACCEPT
518 fi
519 #
520 # log IPsec client connection teardown
521 if [ $VPN_LOGGING ]
522 then
bb7b613b 523 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
997358a6
MW		 524 then
525 logger -t $TAG -p $FAC_PRIO -- \
bb7b613b 526 "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
997358a6
MW		 527 else
528 logger -t $TAG -p $FAC_PRIO -- \
bb7b613b 529 "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
997358a6
MW		 530 fi
531 fi
532 ;;
533#
534# IPv6
535#
536prepare-host-v6:*|prepare-client-v6:*)
537 ;;
538route-host-v6:*|route-client-v6:*)
539 # connection to me or my client subnet being routed
540 #uproute_v6
541 ;;
542unroute-host-v6:*|unroute-client-v6:*)
543 # connection to me or my client subnet being unrouted
544 #downroute_v6
545 ;;
b14a8768 546up-host-v6:)
997358a6
MW		 547 # connection to me coming up
548 # If you are doing a custom version, firewall commands go here.
549 ;;
b14a8768 550down-host-v6:)
997358a6
MW		 551 # connection to me going down
552 # If you are doing a custom version, firewall commands go here.
553 ;;
b14a8768 554up-client-v6:)
997358a6
MW		 555 # connection to my client subnet coming up
556 # If you are doing a custom version, firewall commands go here.
557 ;;
b14a8768 558down-client-v6:)
997358a6
MW		 559 # connection to my client subnet going down
560 # If you are doing a custom version, firewall commands go here.
561 ;;
b14a8768
AS		 562up-host-v6:iptables)
563 # connection to me, with (left/right)firewall=yes, coming up
564 # This is used only by the default updown script, not by your custom
565 # ones, so do not mess with it; see CAUTION comment up at top.
566 ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
567 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
568 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
569 ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
570 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
571 -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
572 #
573 # log IPsec host connection setup
574 if [ $VPN_LOGGING ]
575 then
bb7b613b 576 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
b14a8768
AS		 577 then
578 logger -t $TAG -p $FAC_PRIO \
bb7b613b 579 "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
b14a8768
AS		 580 else
581 logger -t $TAG -p $FAC_PRIO \
bb7b613b 582 "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
b14a8768 583 fi
8b3b4a24 584 fi
b14a8768
AS		 585 ;;
586down-host-v6:iptables)
587 # connection to me, with (left/right)firewall=yes, going down
588 # This is used only by the default updown script, not by your custom
589 # ones, so do not mess with it; see CAUTION comment up at top.
590 ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
591 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
592 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
593 ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
594 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
595 -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
596 #
597 # log IPsec host connection teardown
598 if [ $VPN_LOGGING ]
599 then
bb7b613b 600 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
b14a8768
AS		 601 then
602 logger -t $TAG -p $FAC_PRIO -- \
bb7b613b 603 "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
b14a8768
AS		 604 else
605 logger -t $TAG -p $FAC_PRIO -- \
bb7b613b 606 "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
b14a8768
AS		 607 fi
608 fi
609 ;;
610up-client-v6:iptables)
611 # connection to client subnet, with (left/right)firewall=yes, coming up
612 # This is used only by the default updown script, not by your custom
613 # ones, so do not mess with it; see CAUTION comment up at top.
614 if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
615 then
616 ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
617 -s $PLUTO_MY_CLIENT $S_MY_PORT \
618 -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
619 ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
620 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
621 -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
622 fi
623 #
624 # a virtual IP requires an INPUT and OUTPUT rule on the host
625 # or sometimes host access via the internal IP is needed
626 if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
627 then
628 ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
629 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
630 -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
631 ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
632 -s $PLUTO_MY_CLIENT $S_MY_PORT \
633 -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
634 fi
635 #
636 # log IPsec client connection setup
637 if [ $VPN_LOGGING ]
638 then
bb7b613b 639 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
b14a8768
AS		 640 then
641 logger -t $TAG -p $FAC_PRIO \
bb7b613b 642 "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
b14a8768
AS		 643 else
644 logger -t $TAG -p $FAC_PRIO \
bb7b613b 645 "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
b14a8768
AS		 646 fi
647 fi
648 ;;
649down-client-v6:iptables)
650 # connection to client subnet, with (left/right)firewall=yes, going down
651 # This is used only by the default updown script, not by your custom
652 # ones, so do not mess with it; see CAUTION comment up at top.
653 if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
654 then
655 ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
656 -s $PLUTO_MY_CLIENT $S_MY_PORT \
657 -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
658 $IPSEC_POLICY_OUT -j ACCEPT
659 ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
660 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
661 -d $PLUTO_MY_CLIENT $D_MY_PORT \
662 $IPSEC_POLICY_IN -j ACCEPT
663 fi
664 #
665 # a virtual IP requires an INPUT and OUTPUT rule on the host
666 # or sometimes host access via the internal IP is needed
667 if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
668 then
669 ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
670 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
671 -d $PLUTO_MY_CLIENT $D_MY_PORT \
672 $IPSEC_POLICY_IN -j ACCEPT
673 ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
674 -s $PLUTO_MY_CLIENT $S_MY_PORT \
675 -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
676 $IPSEC_POLICY_OUT -j ACCEPT
677 fi
678 #
679 # log IPsec client connection teardown
680 if [ $VPN_LOGGING ]
681 then
bb7b613b 682 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
b14a8768
AS		 683 then
684 logger -t $TAG -p $FAC_PRIO -- \
bb7b613b 685 "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
b14a8768
AS		 686 else
687 logger -t $TAG -p $FAC_PRIO -- \
bb7b613b 688 "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
b14a8768
AS		 689 fi
690 fi
691 ;;
997358a6
MW		 692*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
693 exit 1
694 ;;
695esac
Unnamed repository; edit this file 'description' to name the repository.